Can A QSA Rely On An ISA’s Assessment Work?

Questions have been asked at various Community Meetings over the years regarding reliance on internal and external audits, but none of us discussing this question could remember anyone asking the Council about ISAs.  The reason this issue repeatedly comes up is due to organizational audit fatigue.

With standards such as PCI, NIST, ISO and the like, some organizations can be under constant and never-ending audits.  To add to this audit onslaught, the personnel involved are, in a lot of cases, covering the same topics over and over and over.  For the people involved, these endless audits become very annoying as these people are interrogated over the same topics time and again.

For the record, when the Council has been asked about internal and external auditor results, the answer has always been an emphatic “No”.  That answer has, of course, been met with groans and complaints from the audiences that the Council is arrogant and unrealistic in how they approach assessments.  While some of these complaints are on point for policies, access controls and physical controls, there are some PCI requirements such as those in sections 1, 2, 10 and 11 that are unique in the level of detail explored and are not covered in that same level of detail in other standards’ work programs.  Both the Council and the people making complaints have their points.

So, we come back to the original question about ISAs.  In theory, ISAs are provided the same training as a QSA by the PCI SSC.  The only difference between a QSA and an ISA is that an ISA is employed by the organization being assessed.  As a result, you would assume that all things being equal, a QSA should be able to rely on an ISA’s assessment work after a review of that work.


According to the response we got back from the Council, a QSA must first ask the entity receiving the assessment if they can rely on an ISA’s assessment work.

QSAs are told not to question the work of other QSAs.  But we need to ask permission to trust the work of an ISA?  You are required to trust one, but cannot trust the other?  What kind of nonsense is this?

With answers like this, you start to wonder what the purpose of the PCI SSC is in the scheme of PCI.

And we all thought the discussion about “Not Tested” was ridiculous.


15 Responses to “Can A QSA Rely On An ISA’s Assessment Work?”

  1. Joe
    December 21, 2022 at 5:26 PM

    The entire PCI compliance industry (the council, QSA, ISAs) is just another example of non-value bull donkey. It is one giant, incestuous consultant driven industry…parasites of the private American economy. Private companies are perfectly capable of self validating…with the regulation coming in the form of liability. You guys are jokes.

    • January 16, 2023 at 7:39 PM

      Some QSAs are jokes and I am sorry that they are the ones that have informed your opinion. But please do not lump all of us together because a lot of us do provide value and expertise.

  2. Robert
    November 17, 2017 at 6:11 PM

    ISAs generally don’t do a good job of initial scoping and managing scope through the assessment. They also don’t have the benefit of working under a group of like-minded assessors with whom they can consult when presented with a situation that taxes their breadth of knowledge or understanding of the requirements. Furthermore, they don’t have the luxury of a QA lead to review their work and they don’t have to be subjected to the AQM program. So there are reasons not to trust the results of an ISA assessment. Yes, they get the same theory blasted at them annually like a QSA, but there is nothing to substitute for the on-the-ground experience that a seasoned QSA acquires.

    • November 24, 2017 at 9:51 AM

      In my experience, it’s not so much they do a bad job scoping so much as they are TOLD what the scope is and are not allowed to question it until they have absolute, undeniable proof that the scope is wrong. Even then, the scope might not change.

      Technically, ISAs are subject to AQM review if the Council deems it necessary. Given AQM’s workload with QSAs, it would probably take a strong complaint from one of the brands to get such a review performed.

      That said, I also know of QSAs that I also don’t like to trust, but must because the Council has told me I have no other choice. So the situation there is not perfect either.

    • March 12, 2018 at 4:25 PM

      From my own experience I would tend to agree about the scope assessment process and documentation. It’s the one part of our assessment that I would like to improve. But we file SAQ D and not a ROC, so I don’t necessarily have the support to do a thorough scope assessment. I think I’m pretty well-versed in the standard and its interpretation, but once every couple of years I do turn to our QSA company for consultation. This is always when there is organizational political jockeying dependent on the answer, and somebody thinks they can win by discrediting the ISA. The QSA always agrees with me.

  3. Noor
    November 14, 2017 at 10:07 AM

    As a PCI ISA myself, there is a lot of pressure on us to accommodate. When a QSA makes a point, management/teams have to follow, and if they are not happy, they have to change the QSA’s firm. Yes, QSAs come with different judgments and they do miss the point many times, but their strength is their independence. I tried to combine different assessments to reduce the audit fatigue; my challenge is always the scope. Even the way each standard defines the scope is different (e.g. financial audit: applications involved in the business processes that may impact the integrity of the financial reporting).
    Except for the policies and the processes, the evidence required from the different systems is different.

  4. Bill Membery
    November 13, 2017 at 4:30 AM

    What an excellent point, and I totally agree, as audit overload for 27k, ISAE3402, PCI, ISO9k, SOX etc. occurs in all large organisations. Perhaps some standardisation and acceptance of controls around Risk, BCP, Incident Management, Change Management and Service Delivery is in order, as these are the ones that are frequently repeated in all standards and waste time, costs and money.

    • November 13, 2017 at 6:14 AM

      Wholeheartedly agree with that, BUT … You need all the players at the table and the Council has repeatedly said they want nothing to do with it. In years past the AICPA, ISACA and other standards setting bodies have asked for meetings and the PCI SSC has supposedly rejected them.

  5. Antipode
    November 12, 2017 at 4:41 PM

    Yeah, very strange statement from the SSC. Like you I assumed the trust chain of other QSA’s work extended to ISAs (who are the same in all but name).

    I guess an ISA is much more likely to lie on behalf of their employer. I completed an assessment last year for a L2 merchant who had previously been using their ISA (made redundant). Fully compliant for 3 years running, they weren’t at all surprised when I assessed them in the low 50’s %. The Acquirer wasn’t impressed, and it was pretty obvious what had been going on.

    I’ve seen other QSAs miss some fairly obvious things before, but I’ve never suspected any QSA of lying on behalf of a customer.

    • November 13, 2017 at 6:17 AM

      The biggest problems I have encountered with ISAs is their ability to properly scope the environment and their technical skills in understanding network device/server configurations and what is secure.

    • November 13, 2017 at 6:19 AM

      In my experience ISAs do not lie but they do have inexperience in conducting a proper PCI assessment because it is so different from any other assessments or audits they may have been involved.

  6. PIN Head
    November 11, 2017 at 4:22 PM

    I like your post Guru. I have been involved with PIN security device qualification and key management well before the PCI SSC existed. Recently we helped a major retailer set up a PCI P2PE merchant managed solution. This same retailer has a compliant PIN key injection facility in place and when we asked the QSA if they could use the PCI PIN report as evidence that we had documented procedures, and are followed, for P2PE key management, the answer was NO! The explanation was that PCI does not control the PCI PIN security requirements. This of course was laughable, but the meaning was that PCI PIN ‘validation’ is managed under one of the brands and PCI P2PE is listed under the PCI SSC domain.

    I have to tell you that it is very frustrating as a key management and security expert to have to deal with the various flavors of PCI requirements. If they won’t even take evidence of their own requirements to scale across different implementations, I can understand the frustration for those that have to meet even high standards and yet still have to go through the all important protection of credit card information which the brands have somehow made it the acceptors, of the very weak payment product, the responsible party.

    PIN head

    • November 11, 2017 at 4:29 PM

      Actually, the council is in the process of taking over the PIN standard for the card brands, so next year that will not be the case.

      • Robert
        November 17, 2017 at 6:02 PM

        But that will only really help QSAs when engaging with entities which are “Validating Participants” in the Visa PIN program. Visa PIN Program “Participants” need only complete an SAQ annually, and there is no mandate in the Program to employ a Visa approved PIN assessor in the completion of that document. It is quite possible that a QSA may reject an SAQ completed by a Participant for their distrust in the diligence of the self-assessor.

      • November 24, 2017 at 9:54 AM

        Everything in PCI is built on a shared approach of if I have a current PCI assessment of A, then I only need to validate B, type of methodology. If A was not properly assessed, then the rest of the house of cards will fall.

November 2017